How to comply with cloud rules: four recommendations for compliance with cloud computing

In theory, cloud computing seems simple, and cloud deployment and licensing are the most attractive assets. But when it does, things are coming. You will find that it is not so easy to comply with the cloud, there are many problems to think about. Cloud rules are ubiquitous, large to government regulations, such as Oxley, EU data protection laws, and small to industry regulations, such as the payment Card Industry Data Security Standard (PCI DSS) and the American Health Insurance Portability and Accountability Act (HIPAA). You may have achieved internal control, but you have to give up some control of the vendor in the process of migrating the public cloud infrastructure platform or cloud-based application suite.

This is one of the major problems facing many auditors, CIOs and CEOs today. They are eager to know: how to vigorously develop the "cloud" while adhering to the cloud rules, to avoid reputation damage. Here are four suggestions from analysts, suppliers, and consultants:

1. Note The cloud's new challenges to it workloads

When evaluating cloud vendors, look for suppliers who identify and access management policies, and provide good strategies for data protection and emergency response. These are the most basic compliance requirements. Then, once you set specific compliance requirements for future suppliers, you are likely to face specific cloud challenges.

Data positioning is one of them. In the case of EU data protection Law, the bill prohibits the outflow of personal information from EU residents. To comply with regulatory requirements, your cloud provider should place the EU customer information on a European server.

Multiple tenants and a clear configuration also pose challenges. Public cloud vendors use multiple tenants to optimize server workloads and reduce costs. But that means you need to share server space with other businesses. Therefore, you should be aware of your cloud provider's protection measures to prevent any compromise. Determines whether encryption is based on the key level of the data. Take the American Health Insurance Portability and Accountability Act (HIPPA) as an example, requiring all user data to set a password, regardless of whether the data is in use.

As password identity authentication technology becomes more complex, it is increasingly challenging for users to clean up their configuration. Admittedly, the Federated Identity Management program helps users more easily log on to multiple "clouds," but it also makes configuration cleanup more tricky.

"When employees leave the company, you want to click the button, you can automatically close their Windows account and all enterprise internal applications." At the same time, you want employees ' mobile phones to have no access to corporate information, and employees have no access to enterprise SaaS applications. "The automatic cleanup configuration has not yet been implemented at the same time as the cloud platform and the internal deployment system," said Tom Kemp, Centrify president of the Identity Management and compliance tool provider.

2, tracking the rapidly changing cloud standards

Whether you like it or not, you are an early user of the cloud. You decide to migrate those apps into the cloud and when to migrate them will benefit from the understanding of the current evolution of cloud computing.

Now, you can follow the SAS Type II and ISO 270,012 standards to comply with the financial and information security of government and industry regulations, but can not guarantee that these regulations are suitable for the development of the company.

"The standards of ISO 27001 and SAS 70 are very helpful, but they may be outdated," said Jonathan Penn, vice president and chief analyst at the American Institute of Research in Hertfordshire. "They have no detailed rules on data security, identification, administrator control, and so forth." We must let the user know what is going to happen. Now it's basically a "black box". ”

To improve the transparency of the user is the important goal of Cloud Security Alliance, CSA company founded three years fast in users, auditors, service providers are well received. An important goal of the Cloud Security alliance is to standardize the audit framework and promote communication between users and cloud providers.

For example, the GRC (monitoring, risk and compliance) Standard Suite is progressing well with 4 key elements: Cloud Trust protocol, Cloud Audit, consensus assessment initiative, and cloud control matrix. Among them, the cloud control matrix lists the basic requirements that enterprises comply with their IT control domain standards, such as "Human resources-termination of employment relationship" in spreadsheet form. The Consensus Assessment initiative provides a detailed questionnaire to users and auditors on the specific expectations of suppliers in the field of control.

CSA and other alliances, industry groups, government agencies, the joint efforts of the next few years, the new standards will emerge. CSA has implemented formal alliances with ISO, the International Telecommunication Union (ITU), the United States National Standards and Technology Association (NIST) to help these organizations further refine their standards. As of the end of 2010, 48 industry groups have been working on cloud safety standards, according to Forrester Research.

3. Take the SLA seriously

Regardless of the size and status of your business, do not trust the cloud supplier's contract terms to meet your requirements. Start with a serious due diligence check on the supplier's contract.

This is a suggestion from--michael Larnei, a lawyer at Hogan Lovells law firm. Hogan Lovells is an international law firm with extensive experience in cloud compliance and security issues. Larner often helps customers negotiate service level agreements (Agreements,sla) with cloud vendors, he says, starting with a risk-benefit analysis to understand whether the standard contract terms of the cloud vendor meet your compliance requirements. If compliance requirements are not met, it is necessary to negotiate with the cloud vendor to increase the comfort level.

The size of the company can add weight to the negotiations, but small companies can also find the bargaining weights, and small companies are cloud providers trying to expand new industries. All in all, don't be afraid to negotiate with a cloud supplier under any circumstances.

"Many companies think a big cloud supplier will not negotiate with them," Larner said. In fact, you can increase your comfort level so that cloud providers will be happy to make an exception for you. ”

If you don't know much about the cloud, start with non-critical data, and you'll find that it's a good idea. Larner added.

But a rigorous assessment should not end with a full-scale SLA alone. Nirav Mehta, RSA's cloud strategy director, says you should keep a close eye on cloud providers. "You may have a good SLA, but what happens to business continuity if the vendor's cloud services are interrupted?"

Mehta that the best strategy is to use multiple clouds as a backup.

4, priority consideration of security issues

To better understand the potential risks and benefits of a business, you should discuss it with the cloud security team as early as possible, Forrester's Penn.

"Safety and compliance issues can be put on the agenda in the right environment." "The important thing is that executives can understand security issues and be able to weigh the risk level against the budget offered to mitigate certain risks," Penn said. ”

In the process of cloud migration, the formal risk assessment function of the Security Committee provides an opportunity for the enterprise to achieve an alliance of enterprise security and enterprise goals in a more lasting way. The security committee can help assess risks and make budget recommendations that meet the strategic objectives of the enterprise.

You should be aware of the security innovations provided by many security services and cloud supplier partners. Dome9 is Amazon's partner, which solves cloud-related technical issues-DOME9 shuts down these ports when not using the cloud server's SSH and other ports, so that attackers who have access to them cannot log on to the cloud server.

Dave Meizlik, vice president of Dome9, said: "In the enterprise, these ports are open by default." But when your cloud servers don't need to work, you want to be able to shut them down. And you can't shut down each server and ask the cloud provider to help you close the port.

Cloud computing may pose some risks, but when security innovations catch up, these risks naturally diminish. Even today, according to Forrester's Penn, "The security of cloud services will not be as pervasive as other it trends such as smartphones or social media, causing most businesses to worry about security issues." Fundamentally, for cloud applications, security issues will gradually diminish without causing increasing concern. ”

(Responsible editor: admin)